It’s a hacker’s wet dream: a software bug discovered in the practically ubiquitous computer program known as “Bash” makes hundreds of millions of computers susceptible to hijacking. The impact of this bug is likely to be higher than that of the Heartbleed bug, which was exposed in April. The National Vulnerability Database, a US government system which tracks information security flaws, gave the bug the maximum score for “Impact” and “Exploitability,” and rated it as simple to exploit.
The bug, which has been labeled “Shell Shock” by security experts, affects computers running Unix-based operating systems like Mac OS X and Linux. That means most of the internet: according to a September survey conducted by Netcraft, a British internet services company, just 13% of the busiest one million websites use Microsoft web servers. Almost everyone else likely serves their website via a Unix operating system that probably uses Bash.
How the “Shell Shock” bug works
Your computer has a type of program called a “shell,” which lets you give it commands like “Run my web browser” or “Open up this file.” If you use a Mac or Linux computer, that shell is probably Bash by default.
You want to be very careful about the commands you give to your shell. For example, you probably don’t want to give it commands like “Delete all my files!” or “Download a virus from an evil website!” Above all, you don’t want to give a random, malicious person on the internet access to your shell.
Unfortunately, that’s exactly what the Shell Shock bug does.
The problem arises because lots of web servers pass data into shell scripts—mini-programs that are run by the shell. Sometimes, the data that the web servers allow in can be modified by the guy on the other end of the line. For example, If I’m browsing google.com, and Google wants to take note of what web browser I’m using, I can actually modify the data that identifies my browser to trick Google into thinking I’m using Internet Explorer instead of Chrome.
Here’s where Bash does a very dumb thing: If I cleverly modify the data I pass across the network, I can trick Bash into running any command that I want. So I, a random guy somewhere on the internet, can make a web server run an arbitrary shell program commanding that server to do anything—dump a database, download a virus, or take itself off the internet.
This is very bad. And hours after Shell Shock was announced publicly, it is already being actively exploited.
Don’t cry for Google
The big, smart companies will be fine. A software patch has already been issued; Amazon rolled it out to its Web Services clients Wednesday afternoon, according to a company security bulletin. No doubt, all large, responsible tech companies have done the same.
This is a story we’ve heard before. The fallout from Shell Shock, like Heartbleed, will take place over months or years. Bash has been around since the 1980s, and many devices and systems that aren’t subject to stringent security monitoring will likely remain vulnerable until some hacker discovers them and takes control.